
patch 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer

Problem:  heap use-after-free possible when autocommands switch away from the
          quickfix dummy buffer, but leave it open in a window.
Solution: close its windows first before attempting the wipe.
          (Sean Dewar)

related: #17283

Signed-off-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Sean Dewar 2025-05-10 14:30:36 +02:00 committed by Christian Brabandt
parent 9955c125fa
commit b4074ead5c
3 changed files with 34 additions and 5 deletions


@ -7026,7 +7026,11 @@ load_dummy_buffer(
aucmd_restbuf(&aco); aucmd_restbuf(&aco);
if (newbuf_to_wipe.br_buf != NULL && bufref_valid(&newbuf_to_wipe)) if (newbuf_to_wipe.br_buf != NULL && bufref_valid(&newbuf_to_wipe))
wipe_buffer(newbuf_to_wipe.br_buf, FALSE); {
block_autocmds();
wipe_dummy_buffer(newbuf_to_wipe.br_buf, NULL);
unblock_autocmds();
}
} }
// Add back the "dummy" flag, otherwise buflist_findname_stat() won't // Add back the "dummy" flag, otherwise buflist_findname_stat() won't
@ -7052,8 +7056,8 @@ load_dummy_buffer(
/* /*
* Wipe out the dummy buffer that load_dummy_buffer() created. Restores * Wipe out the dummy buffer that load_dummy_buffer() created. Restores
* directory to "dirname_start" prior to returning, if autocmds or the * directory to "dirname_start" if not NULL prior to returning, if autocmds or
* 'autochdir' option have changed it. * the 'autochdir' option have changed it.
*/ */
static void static void
wipe_dummy_buffer(buf_T *buf, char_u *dirname_start) wipe_dummy_buffer(buf_T *buf, char_u *dirname_start)
@ -7095,8 +7099,9 @@ wipe_dummy_buffer(buf_T *buf, char_u *dirname_start)
// new aborting error, interrupt, or uncaught exception. // new aborting error, interrupt, or uncaught exception.
leave_cleanup(&cs); leave_cleanup(&cs);
#endif #endif
// When autocommands/'autochdir' option changed directory: go back. if (dirname_start != NULL)
restore_start_dir(dirname_start); // When autocommands/'autochdir' option changed directory: go back.
restore_start_dir(dirname_start);
} }
} }
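Review bot: The new block in load_dummy_buffer() carries no comment explaining why the wipe is now wrapped in block_autocmds()/unblock_autocmds() or why NULL is passed as dirname_start, so a later maintainer could drop either and silently reopen the use-after-free. The motivation is only visible indirectly, in the test (BufWipeout must not fire for the dummy buffer) and in the changed wipe_dummy_buffer() header comment (directory restored only when dirname_start is not NULL). I would record it above `block_autocmds();` with something like `// Go through wipe_dummy_buffer() so any window still showing the dummy buffer (autocmds may have switched away from it) is closed before the wipe, and keep autocmds blocked so none run while it is taken down. The caller restores the directory, hence NULL.` The last sentence is my inference from the NULL argument — the directory handling in load_dummy_buffer()'s caller is outside the hunk, so confirm it before adopting. Both load_dummy_buffer() and wipe_dummy_buffer() start and end outside the shown hunks.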


@ -6899,4 +6899,26 @@ func Test_quickfix_close_buffer_crash()
wincmd q wincmd q
endfunc endfunc
func Test_vimgrep_dummy_buffer_crash()
augroup DummyCrash
autocmd!
" Make the dummy buffer non-current, but still open in a window.
autocmd BufReadCmd * ++once let s:dummy_buf = bufnr()
\| split | wincmd p | enew
" Autocmds from cleaning up the dummy buffer in this case should be blocked.
autocmd BufWipeout *
\ call assert_notequal(s:dummy_buf, str2nr(expand('<abuf>')))
augroup END
silent! vimgrep /./ .
redraw! " Window to freed dummy buffer used to remain; heap UAF.
call assert_equal([], win_findbuf(s:dummy_buf))
call assert_equal(0, bufexists(s:dummy_buf))
unlet! s:dummy_buf
autocmd! DummyCrash
%bw!
endfunc
" vim: shiftwidth=2 sts=2 expandtab " vim: shiftwidth=2 sts=2 expandtab


@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
1375,
/**/ /**/
1374, 1374,
/**/ /**/